Closed ainar-g closed 3 years ago
Neither semgrep nor ruleguard have the data flow smarts to handle this. At best we could maybe flag some suspicious patterns, but it's not clear what those would look like without vast quantities of false positives.
I see, thanks. If we consider the “simple stupid” solution, where semgrep
just marks all such conversions as suspicious, to be too noisy, then I think this issue can be closed.
See dominikh/go-tools#101 and dominikh/go-tools#943. I'm not sure if semgrep or ruleguard are able to trace that a value has been checked, but perhaps outlawing all such conversions “just in case” could also be reasonable? (More of a “maybe” issue, feel free to close if it doesn't seem viable.)